|
@@ -3,7 +3,6 @@ class Xss {
|
|
|
constructor(xssOption) {
|
|
constructor(xssOption) {
|
|
|
const xss = require('xss');
|
|
const xss = require('xss');
|
|
|
|
|
|
|
|
- const isEnabledXssPrevention = xssOption.isEnabledXssPrevention;
|
|
|
|
|
const tagWhiteList = xssOption.tagWhiteList;
|
|
const tagWhiteList = xssOption.tagWhiteList;
|
|
|
const attrWhiteList = xssOption.attrWhiteList;
|
|
const attrWhiteList = xssOption.attrWhiteList;
|
|
|
|
|
|
|
@@ -12,20 +11,15 @@ class Xss {
|
|
|
// default
|
|
// default
|
|
|
let option = {
|
|
let option = {
|
|
|
stripIgnoreTag: true,
|
|
stripIgnoreTag: true,
|
|
|
- stripIgnoreTagBody: false,
|
|
|
|
|
|
|
+ stripIgnoreTagBody: false, // see https://github.com/weseek/growi/pull/505
|
|
|
css: false,
|
|
css: false,
|
|
|
whiteList: whiteListContent,
|
|
whiteList: whiteListContent,
|
|
|
escapeHtml: (html) => html, // resolve https://github.com/weseek/growi/issues/221
|
|
escapeHtml: (html) => html, // resolve https://github.com/weseek/growi/issues/221
|
|
|
};
|
|
};
|
|
|
|
|
|
|
|
- if (isEnabledXssPrevention) {
|
|
|
|
|
- tagWhiteList.forEach(tag => {
|
|
|
|
|
- whiteListContent[tag] = attrWhiteList;
|
|
|
|
|
- });
|
|
|
|
|
- }
|
|
|
|
|
- else {
|
|
|
|
|
- option['stripIgnoreTag'] = false;
|
|
|
|
|
- }
|
|
|
|
|
|
|
+ tagWhiteList.forEach(tag => {
|
|
|
|
|
+ whiteListContent[tag] = attrWhiteList;
|
|
|
|
|
+ });
|
|
|
|
|
|
|
|
// create the XSS Filter instance
|
|
// create the XSS Filter instance
|
|
|
this.myxss = new xss.FilterXSS(option);
|
|
this.myxss = new xss.FilterXSS(option);
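Review bot: The now-unconditional `tagWhiteList.forEach(...)` in the second hunk runs for every configuration, so an install where `xssOption.tagWhiteList` is unset would throw a TypeError in the constructor; that is plausible for setups that previously ran with prevention disabled, though the code producing `xssOption` is not visible here. A guard such as `(tagWhiteList || []).forEach(tag => { whiteListContent[tag] = attrWhiteList || []; });` falls back to an empty whitelist, which with `stripIgnoreTag: true` should strip every tag rather than crash or let markup through. Every whitelisted tag also receives the same `attrWhiteList` array, so any allowed attribute is accepted on every allowed tag; a comment such as `// attrWhiteList applies to all whitelisted tags (not per-tag)` would make that explicit for whoever maintains the defaults. The constructor body continues past the end of the hunk.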
|